Towards a Quantitative Approach to Attack Response

Hervé Debar, Institut Mines-Télécom
Using work performed during the PhD theses of Yohann Thomas, Nizar Kheir and Gustavo Gonzalez-Granadillo

DGA seminar, 2015/11/20
Source: seminaire-dga.gforge.inria.fr/2015/20151120_HerveDebar.pdf

Page 2: « Operational security » timeline

[Timeline figure, 1980 to 2015. Milestones in order: anomaly detection, misuse detection, alerts, too many alerts, alert correlation, SIEM, analytics, and finally "diagnosis & reaction?".]

Page 3: Reaction models

■ Alert-triggered
  ● Network-based
    − Reset connection, block flow, …
  ● System-based
    − Kill process, disable account, …
  ● Independent actions, repeated for each and every alert
    − Marginal improvement with integration in the Bro framework [RAID2015]
■ Policy-triggered
  ● Workflow
    − Select the appropriate rule
    − Deploy the rule
■ Issues
  ● Multiple attacks
  ● Continuous operation

Page 4: Dynamic reaction model

■ Feedback control loop [Thomas et al. 2007]
  ● Definition of a contextual security policy
  ● Contexts are influenced by IDMEF messages
  ● Deployed policies adjust the configuration to the attack
■ Pros
  ● Dynamic adjustment of posture
■ Issues
  ● Pre-registration of contexts, one per CVE
  ● Finding PEPs
  ● Conflict management
    − Programmatic context combination

Page 5: Finding the right PEPs

■ Problem: given a set of PEPs (policy enforcement points), which one is best suited to handle an alert?
  ● Capability
    − In transit
      • Network (block, kill connection, …)
      • System (kill process, …)
    − In access
      • Authentication (directories, …)
      • Communication (DHCP address, …)
  ● Geography
    − Will the PEP intersect with the malicious activity?
■ Proposal [Kheir 2010]: service dependency model
  ● AADL (hierarchical) provide-require interfaces
  ● Down-the-chain: find the appropriate PEP
  ● Up-the-chain: find collateral damages
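One way to realise the down-the-chain / up-the-chain walk of Kheir's proposal, as an added illustration that is not the deck's or Kheir's code: a flat require graph stands in for the hierarchical AADL model, the service names, the PEP catalogue and the alert are constructed for the example, and counting dependent services stands in for a proper collateral-damage estimate.

```python
"""Down-the-chain / up-the-chain walk over a service dependency model
(slide 5).  Added illustration, not the deck's or Kheir's code: a flat
require graph stands in for the hierarchical AADL model, and the service
names, the PEP catalogue and the alert below are constructed."""
from collections import deque

# Constructed model: each service lists the services it REQUIRES
# (edge from a consumer to the provider it depends on).
REQUIRES = {
    "webmail":   ["imap", "auth"],
    "imap":      ["auth", "mailstore"],
    "auth":      ["directory"],
    "mailstore": [],
    "directory": [],
}

# Constructed PEP catalogue: the service hosting the enforcement point and
# the actions it can apply (the "capability" axis of the slide).
PEPS = {
    "fw-dmz":    {"host": "webmail",   "actions": {"block_flow", "reset_connection"}},
    "imap-acl":  {"host": "imap",      "actions": {"kill_session"}},
    "dir-admin": {"host": "directory", "actions": {"disable_account"}},
    "dhcp":      {"host": "mailstore", "actions": {"release_address"}},
}


def chains(entry, target, graph=REQUIRES):
    """Down-the-chain: every require-path from the service the attacker
    entered through to the service the alert names."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for nxt in graph.get(node, []):
            if nxt not in path:          # the graph is a DAG, but stay safe
                walk(nxt, path + [nxt])

    walk(entry, [entry])
    return paths


def dependents(service, graph=REQUIRES):
    """Up-the-chain: every service that transitively requires `service`,
    i.e. what else breaks if the countermeasure cuts it."""
    found, queue = set(), deque([service])
    while queue:
        current = queue.popleft()
        for consumer, providers in graph.items():
            if current in providers and consumer not in found:
                found.add(consumer)
                queue.append(consumer)
    return found


def candidate_peps(entry, target, wanted_actions, graph=REQUIRES, peps=PEPS):
    """PEPs that (a) sit on a path between entry and target, so they intersect
    the malicious activity ("geography"), and (b) offer a wanted action
    ("capability"), ranked by how many services they would take down."""
    on_path = {s for path in chains(entry, target, graph) for s in path}
    ranked = []
    for name, pep in peps.items():
        if pep["host"] in on_path and pep["actions"] & wanted_actions:
            collateral = dependents(pep["host"], graph)
            ranked.append((len(collateral), name, sorted(collateral)))
    return sorted(ranked)


if __name__ == "__main__":
    # Constructed alert: activity entering via webmail against the directory.
    wanted = {"block_flow", "kill_session", "disable_account"}
    for cost, name, hit in candidate_peps("webmail", "directory", wanted):
        print(f"{name:10s} dependent services lost: {cost} {hit}")
```

The ranking makes the slide's trade-off visible: the firewall in front of webmail intersects the activity at no cost to other services, while disabling the account at the directory cuts everything that authenticates through it.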

Page 6: Challenges going forward

■ How to select an appropriate countermeasure from a group of candidates?
  ● Qualitative, quantitative or a combined approach?
  ● Which parameters to consider in the evaluation of security solutions?
■ Once a countermeasure is selected, is it possible to combine it with other solutions?
  ● How to calculate the combined countermeasure cost?
  ● How to calculate the combined mitigation level?
■ How to manage problems when proposing a solution that generates conflicts on the system?
  ● What to do when solutions are mutually exclusive?
■ How to select optimal solutions for a multiple attack scenario?
  ● How to calculate the combined attack surface?
  ● One solution or a combined solution for a multiple attack?

Page 7: Cost Sensitive Models

Page 8: Initial Return On Response Investment (RORI) Index [Kheir et al.]

RORI = [(ICb − RC) − OC] / (CD + OC) × 100

Where
  ICb → Intrusion impact in the absence of security measures.
  RC  → Combined impact for both intrusion and response.
  OC  → Operational cost, which includes response set-up and deployment costs.
  CD  → Response collateral damage (cost added by the countermeasure).

Constraints
  − The absolute values of ICb and RC are difficult to estimate.
  − Doing nothing cannot be evaluated (OC = CD = 0 leaves the denominator at zero).
  − RORI is not normalized to the size and complexity of the infrastructure.

Page 9: Countermeasure Selection Model (1/2): Improved Return On Response Investment

RORI = [(ALE × RM) − ARC] / (ARC + AIV) × 100

Fixed parameters
  Annual Loss Expectancy (ALE) → Impact cost in the absence of countermeasures (e.g., $/year).
  Annual Infrastructure Value (AIV) → Fixed costs regardless of the implemented CMs (e.g., $/year).
Variable parameters
  Risk Mitigation (RM) → Percentage of reduction of the total incident cost after the implementation of a countermeasure.
  Annual Response Cost (ARC) → Costs associated to a given countermeasure (e.g., $/year).

Page 10: Countermeasure Selection Model (2/2): Improved Return On Response Investment

RORI = [(ALE × RM) − ARC] / (ARC + AIV) × 100

Improvements
  − The ICb − RC parameters are substituted by ALE × RM, which reduces the error magnitude.
  − The introduction of AIV handles the case of selecting no countermeasure.
  − The AIV provides a response relative to the size of the infrastructure.

ALE: Annual Loss Expectancy; AIV: Annual Infrastructure Value; RM: Risk Mitigation; ARC: Annual Response Cost

Page 11: Countermeasure Selection Process

■ Limitations
  ● Accuracy in the estimation of the different RORI parameters.
  ● The process does not consider inter-dependence among countermeasures.
  ● RORI does not discuss restrictions or conflicts between countermeasures.
  ● RORI limits the action to only one countermeasure over a given attack.

Page 12: Sensitivity Analysis (1/3)

RORI = [(ALE × RM) − ARC] / (ARC + AIV) × 100

Limit cases (× 100 factor omitted)
  Worst scenario (ALE × RM << ARC):      RORI ≈ −ARC / (ARC + AIV)
  Perfect mitigation (RM = 1, ARC = 0):  RORI = ALE / AIV

Sign rule
  If ALE × RM = ARC → RORI = 0
  If ALE × RM < ARC → RORI < 0
  If ALE × RM > ARC → RORI > 0

Page 13: Sensitivity Analysis (2/3)

RORI = [(ALE × RM) − ARC] / (ARC + AIV) × 100

Main results (× 100 factor omitted)

ARC vs. AIV
  If ARC << AIV → RORI ≈ (ALE × RM) / AIV            (ARC has a weak effect)
  If ARC >> AIV → RORI ≈ [(ALE × RM) − ARC] / ARC    (ARC has a strong effect)
ALE vs. AIV
  If ALE << AIV → RORI ≈ −ARC / (ARC + AIV)          (negative)
  If ALE >> AIV → RORI ≈ [(ALE × RM) − ARC] / ARC    (positive)

Page 14: Sensitivity Analysis (3/3)

RORI = [(ALE × RM) − ARC] / (ARC + AIV) × 100

Main results (× 100 factor omitted)

ALE vs. ARC
  If ALE << ARC → RORI ≈ −ARC / (ARC + AIV)      (negative)
  If ALE >> ARC → RORI ≈ (ALE × RM) / AIV        (positive)
Risk Mitigation (RM)
  If RM increases (RM → 1) → RORI → (ALE − ARC) / (ARC + AIV)   (positive)
  If RM decreases (RM → 0) → RORI → −ARC / (ARC + AIV)          (negative)
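The improved index of slides 9-10 and the limit cases of slides 12-14, worked in Python as an added example (not code from the deck). The inputs are the deck's MMTS figures (ALE = 1200 €/year and AIV = 2600 €/year from slides 22-23, C2 and C8 from slide 26). The values computed from those rounded inputs (30.23 % for C2, 32.98 % for C8) differ slightly from the 30.34 % and 32.75 % tabled on slide 26, presumably because the deck used unrounded RM and ARC; the ranking is the same. The break-even function is the editor's addition, not a quantity the deck defines.

```python
"""Improved RORI index (slides 9-14).  Added example, not the deck's code.
Sample inputs are the deck's MMTS figures (ALE = 1200 EUR/year,
AIV = 2600 EUR/year; C2: RM 72 %, ARC 60 EUR; C8: RM 77 %, ARC 50 EUR)."""


def rori(ale, rm, arc, aiv):
    """RORI in percent: ((ALE x RM) - ARC) / (ARC + AIV) x 100.

    AIV > 0 keeps the denominator non-zero even for 'do nothing'
    (RM = 0, ARC = 0), the case the initial index could not evaluate.
    """
    if aiv <= 0:
        raise ValueError("AIV must be positive")
    return ((ale * rm) - arc) / (arc + aiv) * 100.0


def breakeven_rm(ale, arc):
    """Mitigation at which RORI = 0 (ALE x RM = ARC): the countermeasure must
    remove at least this share of the expected loss to pay for itself.
    Editor's addition, not a quantity defined in the deck."""
    return arc / ale


def rank(ale, aiv, candidates):
    """candidates: {name: (rm, arc)} -> [(rori, name)], best first."""
    scored = [(rori(ale, rm, arc, aiv), name)
              for name, (rm, arc) in candidates.items()]
    return sorted(scored, reverse=True)


def sensitivity(ale, rm, arc, aiv, factor=1000.0):
    """Limit cases of slides 12-14 as (exact RORI, asymptotic form): one
    parameter is pushed `factor` times past another and the closed form of
    the slide is compared with the exact index."""
    small = min(arc, aiv) / factor
    big = aiv * factor
    return {
        "ARC << AIV":      (rori(ale, rm, small, aiv), ale * rm / aiv * 100.0),
        "ARC >> AIV":      (rori(ale, rm, big, aiv), (ale * rm - big) / big * 100.0),
        "ALE << ARC":      (rori(small, rm, arc, aiv), -arc / (arc + aiv) * 100.0),
        "RM = 1, ARC = 0": (rori(ale, 1.0, 0.0, aiv), ale / aiv * 100.0),
    }


if __name__ == "__main__":
    mmts = {"C1 do nothing": (0.0, 0.0),
            "C2 deny transaction": (0.72, 60.0),
            "C8 multi-factor auth": (0.77, 50.0)}
    for score, name in rank(1200.0, 2600.0, mmts):
        print(f"{name:22s} RORI = {score:6.2f} %")
    for case, (exact, approx) in sensitivity(1200.0, 0.72, 60.0, 2600.0).items():
        print(f"{case:16s} exact = {exact:9.3f}  asymptotic = {approx:9.3f}")
```

Running `sensitivity` with the MMTS numbers shows each asymptotic form within a fraction of a percent of the exact index, which is the practical content of the three sensitivity slides: ARC only matters once it is comparable to AIV, and a countermeasure whose ALE × RM falls below its ARC is a net loss however cheap the infrastructure.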

Page 15: Multiple counter-measures?

We do not go from 0 to 1, but from n to n+1.

Page 16: How to combine two or more countermeasures?

Risk Mitigation (RM) and Annual Response Cost (ARC): no exact values → approximations

  ARC = Σ (direct cost + indirect cost)
  RM  = Surface Covered × Efficiency

              RM(CM1 ∪ CM2)                 ARC(CM1 ∪ CM2)
Optimistic    RM(CM1) + RM(CM2)             max{ARC(CM1), ARC(CM2)}
Pessimistic   max{RM(CM1), RM(CM2)}         ARC(CM1) + ARC(CM2)
Average       [RM(CM1) + RM(CM2)] / 2       [ARC(CM1) + ARC(CM2)] / 2

Page 17: Combinatorial Axioms

Axiom 1: The cost of a combined countermeasure is equal to the sum of all individual countermeasures' costs.

  ARC(C1 ∪ C2) = ARC(C1) + ARC(C2)

Axiom 2: The risk mitigation (RM) for a combined solution is calculated by adding the effectiveness (EF) of the countermeasures over the different surfaces they cover (SC), minus their intersection.

  RM(C1 ∪ C2) = SC(C1) × EF(C1) + SC(C2) × EF(C2) − SC(C1 ∩ C2) × min{EF(C1), EF(C2)}
  SC(C1 ∩ C2) = [SC(C1 ∩ C2)MIN + SC(C1 ∩ C2)MAX] / 2

[Venn diagram: CM1, CM2 and their overlap CM1 ∩ CM2.]

Page 18: Attack surface

■ Software-oriented definition
  ● LoC
  ● Intersection == common code
■ Does not really work for our purpose
■ What we need to model:
  ● Set definition
  ● Multiple countermeasures
  ● Non-restrictive, partially restrictive, totally restrictive countermeasures
  ● Joint vs. disjoint countermeasures
  ● Countermeasure overlap
■ Countermeasure union & intersection → attack volume

Page 19: Coordinate System

[Figure: three axes, Subject, Action and Object, i.e., the access-control dimensions.]

System Volume: the maximal space to which a given system (e.g., S1) is exposed to be attacked.
Attack Volume: the portion of the system volume that is vulnerable to a given attack (e.g., A1).
Countermeasure Volume: the portion of the system volume that is mitigated by a given countermeasure (e.g., CM1).

Page 20: Inter-dimension Weighting Factor

Dimension-based weighting factor (CARVER)

Attack dimension   C  A  R  V  E  R   Total   %     Weight factor
User account       8  7  9  7  8  7    46     40%   2
Channel            5  6  5  6  5  4    31     28%   1
Resource           7  6  6  5  7  5    36     32%   1.5

C: Criticality, A: Accessibility, R: Recuperability, V: Vulnerability, E: Effect, R: Recognizability

Volume calculation
  SV(S1) = CoAcc(S1) × 2 × CoIp-Port(S1) × 1 × CoRes(S1) × 1.5
  AV(A1) = CoAcc(A1) × 2 × CoIp-Port(A1) × 1 × CoRes(A1) × 1.5
  CV(C1) = CoAcc(C1) × 2 × CoIp-Port(C1) × 1 × CoRes(C1) × 1.5

CoAcc, CoIp-Port, CoRes: the counts of user accounts, channels (IP/port) and resources in the region, each weighted by its class weight (see the system-volume table on page 30).

Page 21: Use case (Orange): Mobile Money Transfer Service

Page 22: Use Case: Mobile Money Transfer System (1/5)

Severity: Minor = 100 €
Likelihood: High = 12 times/year
ALE = 1200 €/year

Page 23: Use Case: Mobile Money Transfer System (2/5)

Annual Infrastructure Value (AIV)
AIV = 2,600 €/year

Page 24: Use Case: Mobile Money Transfer System (3/5)

Countermeasure evaluation

C1 Do Nothing: Accept the risk and do not perform any modification. The cost and risk mitigation level are equal to zero.
C2 Deny Transaction: Allow the user to authenticate, but he/she is not able to perform any kind of transaction.
C3 Deactivate User Account: Temporary deactivation of the user account (e.g., for a period of 24, 48 or 72 hours).
C4 Reduce Transaction Amount: Limit suspected user accounts to transactions up to a maximum amount of money (e.g., up to 30 $, 50 $, 100 $).
C5 Reduce Number of Transactions: Limit the user to a controlled number of transactions per day (e.g., 2, 3 or 5 transactions per day).

Page 25: Use Case: Mobile Money Transfer System (4/5)

Countermeasure evaluation (continued)

C6 Active Alert Mode: An alert indicates that the denied user account is suspected to be under attack.
C7 Keep the Account under Surveillance: The user account is taken into quarantine in order to punctually block operations.
C8 Activate Two-factor Authentication: Requests an additional authentication (e.g., passphrase, challenge response, PIN) in order to authorize the user to perform the required transaction.
C9 Deactivate Multiple Transaction Requests: Limit the user to emit only one transaction at a time.

Page 26: Use Case: Mobile Money Transfer System (5/5)

Countermeasure evaluation (individual countermeasures)

Countermeasure                              PEP   RM    ARC    RORI
C1. Do nothing                              -      0%    0 €    0.00%
C2. Deny transaction                        E7    72%   60 €   30.34%
C3. Deactivate user account                 E9    68%   55 €   28.66%
C4. Reduce transaction amount               E4    60%   50 €   25.77%
C5. Reduce number of transactions           E4    53%   30 €   22.81%
C6. Activate alert mode                     E4    42%   25 €   18.25%
C7. Keep account under surveillance         E9    42%   40 €   17.58%
C8. Activate multi-factor authentication    E12   77%   50 €   32.75%
C9. Deactivate multi-trans. requests        E9    64%   20 €   28.55%

Optimal countermeasure: Activate multi-factor authentication (C8)

Page 27: Individual Countermeasures Analysis. Example: Account Takeover Attack in the MMTS

Countermeasure                              RM    ARC    RORI     Restriction
C1. NOOP                                     0%    0 €    0.00%   Totally restrictive
C2. Deny transaction                        72%   60 €   30.34%   Totally restrictive
C3. Deactivate user account                 68%   55 €   28.66%   Totally restrictive
C4. Reduce transaction amount               60%   50 €   25.77%   Non-restrictive
C5. Reduce number of transactions           53%   30 €   22.81%   Non-restrictive
C6. Activate alert mode                     42%   25 €   18.25%   Non-restrictive
C7. Keep account under surveillance         42%   40 €   17.58%   Non-restrictive
C8. Activate multi-factor authentication    77%   50 €   32.75%   Non-restrictive
C9. Deactivate multi-trans. requests        64%   20 €   28.55%   Non-restrictive

RORI average = 22.66%

Source: France Telecom Orange Labs

Page 28: Combined Countermeasure Evaluation

Countermeasure          ARC     SC     EF     RM     RORI
C4                      35 €    0.70   0.75   0.53   25.77%
C5                      30 €    0.70   0.85   0.60   22.81%
C8                      50 €    0.85   0.90   0.77   32.75%
C9                      35 €    0.80   0.80   0.64   27.82%
C4 & C5                 65 €    0.55   0.75   0.71   29.42%
C4 & C8                 85 €    0.63   0.85   0.83   33.87%
C4 & C9                 70 €    0.60   0.80   0.76   31.31%
C5 & C8                 80 €    0.63   0.75   0.82   33.79%
C5 & C9                 65 €    0.60   0.75   0.72   29.76%
C8 & C9                 85 €    0.73   0.80   0.83   33.71%
C4 & C5 & C8           115 €    0.48   0.75   0.83   32.39%
C4 & C5 & C9           100 €    0.45   0.75   0.76   29.85%
C4 & C8 & C9           120 €    0.53   0.80   0.83   32.15%
C5 & C8 & C9           115 €    0.53   0.75   0.83   32.23%
C4 & C5 & C8 & C9      150 €    0.38   0.75   0.83   30.71%

C4: Reduce transaction amount; C5: Reduce number of transactions; C8: Activate multiple-factor authentication; C9: Deactivate multiple transaction requests

Source: France Telecom Orange Labs

Page 29: Use case 2: IT system @ Telecom SudParis

Page 30: Use Case: Telecom SudParis System Volume

Dimension      Range            Description                          Quantity   Weight factor
User account   U1:U263          Super admin                             263     4
               U264:U428        System admin                            165     3
               U429:U633        Standard user                           205     2
               U664:U3721       Internal user                          3058     1
Channel        Ch1:Ch4500       Active public IP                       4500     3
               Ch4501:Ch4512    Port Class 1                             12     3
Resource       R1:R40           Kernel&WRX                               40     5
               R41:R43          Kernel&WR/WX/RX                           3     4
               R44:R93          Kernel&W/X                               50     3
               R94:R993         User&WRX, User&WR/WX/RX, Kernel&R       900     2

SV(S1) = 430,106,901,440 units³

Page 31: Attack 1: Zeus infection (attack volume)

Targets: U340:U377, Ch100:Ch120, R110:R130

AV(A1) = [(38 × 3) × 2] × [(21 × 3) × 1] × [(21 × 2) × 1.5] = 904,932 units³
Coverage AV(A1) / SV(S1) = 0.0002%

Page 32: Attack 2: Conficker (attack volume)

Targets: U320:U349 & U1110:U1159; Ch70:Ch149; R5:R9 & R31:R40 & R115:R127

Conficker infection
  AV(A2.1) = [(50 × 1) × 2] × [(80 × 3) × 1] × [(5 × 5) × 1.5]  =   900,000 units³
  AV(A2.2) = [(50 × 1) × 2] × [(80 × 3) × 1] × [(13 × 2) × 1.5] =   936,000 units³
  AV(A2.3) = [(30 × 3) × 2] × [(80 × 3) × 1] × [(5 × 5) × 1.5]  = 1,620,000 units³
  AV(A2.4) = [(30 × 3) × 2] × [(80 × 3) × 1] × [(13 × 2) × 1.5] = 1,684,800 units³
Conficker DB brute forcing
  AV(A2.5) = [(50 × 1) × 2] × [(80 × 3) × 1] × [(10 × 5) × 1.5] = 1,800,000 units³
  AV(A2.6) = [(30 × 3) × 2] × [(80 × 3) × 1] × [(10 × 5) × 1.5] = 3,240,000 units³

AV(A2) = 10,180,800 units³

Page 33: Combined Attack: Zeus & Conficker (attack volume)

Intersection targets: U340:U349, Ch100:Ch120, R115:R127

AV(A1 ∩ A2) = [(10 × 3) × 2] × [(21 × 3) × 1] × [(13 × 2) × 1.5] = 147,420 units³

AV(A1 ∪ A2) = 904,932 units³ + 10,180,800 units³ − 147,420 units³ = 10,938,312 units³

Page 34: Countermeasure Volume

Countermeasure information

Countermeasure   Description                   User account   Channel       Resource    Volume (units³)   Coverage (units³)
C1.1             Behavioral detection          U300:U349      Ch1:Ch149     R121:R123     1,206,900           388,800
C1.2             Antivirus                     U301:U433      Ch100:Ch179   R94:R193     57,456,000         3,288,600
C1.3             Make all shares "read only"   U330:U360      Ch1:Ch110     R1:R119      25,411,320         3,260,115
C2.1             Install patches               U229:U550      Ch50:Ch110    R94:R130     35,124,840         2,696,652
C2.2             Block domains                 U270:U449      Ch70:Ch149    R1:R30       56,052,000         3,132,000
C2.3             Create signatures             U1030:U1130    Ch40:Ch90     R1:R123      14,551,218           408,807
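The volume computations of pages 20 and 30-34 and the coverage, residual risk and collateral damage figures of page 38, as an added Python example (not the deck's code). Range tables and weights are transcribed from the slides; holding each dimension as a set of integer identifiers, so that a multi-range attack such as Conficker and the intersections and unions are ordinary set operations, is the editor's representation, not the deck's. With the printed ranges this reproduces the Zeus, Conficker, intersection and union volumes, the C1.1 row of page 34 and the C1.1 row of page 38; the other countermeasure rows of page 34 are not reproduced from the printed ranges and are left as the deck states them. SV is taken as stated on page 30.

```python
"""Attack, system and countermeasure volumes in the user / channel / resource
coordinate system (slides 19-20, 30-34, 38).  Added example, not the deck's
code.  Ranges and weights are transcribed from the slides; representing a
dimension as a set of identifiers is the editor's choice."""

DIM_WEIGHT = {"user": 2.0, "channel": 1.0, "resource": 1.5}   # slide 20

# Class weight per identifier range, from the system-volume table (slide 30).
CLASS_WEIGHT = {
    "user":     [((1, 263), 4), ((264, 428), 3), ((429, 633), 2), ((664, 3721), 1)],
    "channel":  [((1, 4500), 3), ((4501, 4512), 3)],
    "resource": [((1, 40), 5), ((41, 43), 4), ((44, 93), 3), ((94, 993), 2)],
}

SV = 430_106_901_440          # system volume as stated on slide 30 (units^3)


def rng(lo, hi):
    """Inclusive identifier range (U<lo>:U<hi>, Ch<lo>:Ch<hi>, R<lo>:R<hi>)."""
    return set(range(lo, hi + 1))


def class_weight(dim, ident):
    for (lo, hi), w in CLASS_WEIGHT[dim]:
        if lo <= ident <= hi:
            return w
    return 0   # identifiers outside every listed class (e.g. U634:U663)


def volume(region):
    """region: {dim: set of ids}.  Volume = product over dimensions of
    (sum of the ids' class weights) x dimension weight, in units^3."""
    v = 1.0
    for dim, ids in region.items():
        v *= sum(class_weight(dim, i) for i in ids) * DIM_WEIGHT[dim]
    return v


def intersect(*regions):
    return {dim: set.intersection(*(r[dim] for r in regions)) for dim in DIM_WEIGHT}


def union_volume(a, b):
    """Inclusion-exclusion for two attacks (slide 33)."""
    return volume(a) + volume(b) - volume(intersect(a, b))


def coverage(cm, a, b):
    """Volume of the countermeasure region lying inside A ∪ B."""
    return (volume(intersect(cm, a)) + volume(intersect(cm, b))
            - volume(intersect(cm, a, b)))


def analyse(cm, a, b):
    """Coverage, residual risk and potential collateral damage (slide 38):
    what the countermeasure leaves unmitigated, and how much of its own
    volume falls outside the attacks."""
    av, cov, cv = union_volume(a, b), coverage(cm, a, b), volume(cm)
    return {"coverage_pct": cov / av * 100.0,
            "residual": av - cov, "residual_pct": (av - cov) / av * 100.0,
            "collateral": cv - cov, "collateral_pct": (cv - cov) / cv * 100.0}


def ale_from_volume(av, sv=SV, system_value_eur=1_000_000_000):
    """Slide 36: the attack volume's share of the system volume, scaled by
    the value assigned to the whole system."""
    return av / sv * system_value_eur


# Regions transcribed from slides 31, 32 and 34.
ZEUS = {"user": rng(340, 377), "channel": rng(100, 120), "resource": rng(110, 130)}
CONFICKER = {"user": rng(320, 349) | rng(1110, 1159), "channel": rng(70, 149),
             "resource": rng(5, 9) | rng(31, 40) | rng(115, 127)}
C11 = {"user": rng(300, 349), "channel": rng(1, 149), "resource": rng(121, 123)}

if __name__ == "__main__":
    av = union_volume(ZEUS, CONFICKER)
    print(f"AV(Zeus) = {volume(ZEUS):,.0f}  AV(Conficker) = {volume(CONFICKER):,.0f}")
    print(f"AV(A1 ∩ A2) = {volume(intersect(ZEUS, CONFICKER)):,.0f}  AV(A1 ∪ A2) = {av:,.0f}")
    print(f"ALE = {ale_from_volume(av):,.2f} EUR")
    print("C1.1:", analyse(C11, ZEUS, CONFICKER))
```

Splitting Conficker into the six sub-volumes of page 32 is just the distributive expansion of this product: the user dimension sums 50 × 1 and 30 × 3, the resource dimension sums the three ranges, and the product of the sums equals the sum of the six products. The collateral-damage column is the check a practitioner wants before deploying a wide countermeasure such as "block domains": most of its volume lies outside both attacks.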

Page 35: Graphical Representation of Attacks and Countermeasures

[Figure: attacks and countermeasures drawn in the coordinate system; a "Priority Zone" is marked.]

Page 36: Individual Countermeasure Evaluation

SV = 430,106,901,440 units³ → 1,000,000,000 €
AV(A1 ∪ A2) = 10,938,312 units³ → 25,431.61 € (ALE)
AIV = 3100 €

Countermeasure   Description                   SC     EF     RM     ARC       RORI
C1.1             Behavioral detection          0.04   0.60   0.02   1,200 €   −13.71%
C1.2             Install antivirus             0.30   0.70   0.21   1,000 €   105.87%
C1.3             Make all shares "read only"   0.30   0.50   0.15   1,450 €    51.97%
C2.1             Install patches               0.25   0.70   0.18   1,250 €    73.58%
C2.2             Block C&C domains             0.28   0.80   0.22     800 €   125.46%
C2.3             Create IDS signatures         0.04   0.75   0.03   2,000 €   −24.26%

Average = 53.19%

Page 37: Combined Countermeasure Evaluation

Countermeasure   Description          SC     EF     RM     ARC       RORI
C1.2             Install antivirus    0.30   0.70   0.21   1,000 €   105.87%
C2.1             Install patches      0.25   0.70   0.18   1,250 €    73.58%
C2.2             Block C&C domains    0.28   0.80   0.22     800 €   125.46%

ARC(C1 ∪ C2) = ARC(C1) + ARC(C2)
RM(C1 ∪ C2) = SC(C1) × EF(C1) + SC(C2) × EF(C2) − SC(C1 ∩ C2) × min{EF(C1), EF(C2)}

Countermeasure         SC(int)   EF(min)   RM     ARC       RORI
C1.2 & C2.1            0.10      0.70      0.31   2,250 €   106.56%
C1.2 & C2.2            0.00      0.70      0.43   1,800 €   188.52%
C2.1 & C2.2            0.00      0.70      0.40   2,050 €   157.23%
C1.2 & C2.1 & C2.2     0.09      0.70      0.55   3,050 €   177.61%
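Axioms 1 and 2 of page 17 applied to the Telecom SudParis countermeasures of pages 36-37, as an added Python example (not the deck's code). Inputs are the deck's: SC, EF and ARC per countermeasure, ALE = 25,431.61 €, AIV = 3100 €, and the SC(int) column of page 37, including the three-way value 0.09, which the pairwise values do not determine. The search over all subsets is the editor's addition. C1.2, C2.1, C2.1 & C2.2 and C1.2 & C2.2 reproduce the tabled RORI to the cent; the other rows come out one to two points away, presumably because the deck rounded RM before computing RORI.

```python
"""Combining countermeasures under the two axioms of slide 17, on the
Telecom SudParis figures of slides 36-37.  Added example, not the deck's
code.  SC, EF, ARC, ALE, AIV and the intersection surfaces are the deck's
values; the subset search is the editor's addition."""
from itertools import combinations

ALE = 25_431.61     # EUR/year, slide 36
AIV = 3_100.0       # EUR/year, slide 36

# name -> (surface covered, efficiency, annual response cost in EUR)
CMS = {
    "C1.2": (0.30, 0.70, 1000.0),   # install antivirus
    "C2.1": (0.25, 0.70, 1250.0),   # install patches
    "C2.2": (0.28, 0.80, 800.0),    # block C&C domains
}

# Surface of the intersection for each combination, SC(int) on slide 37.
SC_INT = {
    frozenset({"C1.2", "C2.1"}): 0.10,
    frozenset({"C1.2", "C2.2"}): 0.00,
    frozenset({"C2.1", "C2.2"}): 0.00,
    frozenset({"C1.2", "C2.1", "C2.2"}): 0.09,
}


def rori(ale, rm, arc, aiv):
    return ((ale * rm) - arc) / (arc + aiv) * 100.0


def combine(names):
    """Axiom 1: the combined ARC is the sum of the members' ARC.
    Axiom 2: the combined RM is the sum of SC x EF over the members minus
    SC(intersection) x min EF, the form slide 37 uses for two or more
    members.  Returns (rm, arc)."""
    members = [CMS[n] for n in names]
    arc = sum(c for _, _, c in members)
    rm = sum(sc * ef for sc, ef, _ in members)
    if len(members) > 1:
        rm -= SC_INT[frozenset(names)] * min(ef for _, ef, _ in members)
    return rm, arc


def evaluate(names):
    rm, arc = combine(names)
    return {"rm": rm, "arc": arc, "rori": rori(ALE, rm, arc, AIV)}


def best_combination():
    """Exhaustive search over every non-empty subset: 2^n - 1 candidates,
    fine for a handful of countermeasures.  Returns (rori, subset)."""
    best = None
    for k in range(1, len(CMS) + 1):
        for subset in combinations(sorted(CMS), k):
            score = evaluate(subset)["rori"]
            if best is None or score > best[0]:
                best = (score, subset)
    return best


if __name__ == "__main__":
    for k in range(1, len(CMS) + 1):
        for subset in combinations(sorted(CMS), k):
            e = evaluate(subset)
            print(f"{' & '.join(subset):20s} RM = {e['rm']:.3f}  "
                  f"ARC = {e['arc']:7.0f}  RORI = {e['rori']:7.2f} %")
    print("best:", best_combination())
```

The enumeration finds the same winner as the slide (C1.2 & C2.2, the two countermeasures with no overlap), and adding C2.1 to that pair lowers the index because its cost adds in full while part of its surface is already covered. The search inherits the limitation noted on page 11: it does not know about mutually exclusive or conflicting countermeasures, so a real selector needs a restriction check before scoring a subset.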

Page 38: Countermeasure Analysis (additional information)

Countermeasure   Coverage (%)   Residual risk (units³)   Residual risk (%)   Potential collateral damage (units³)   Potential collateral damage (%)
C1.1              3.55%         10,549,512               96.45%                   818,100                            67.79%
C1.2             30.06%          7,649,712               69.94%                54,167,400                            94.28%
C1.3             29.80%          7,678,197               70.20%                22,151,205                            87.17%
C2.1             24.65%          8,241,660               75.35%                32,428,188                            92.32%
C2.2             28.63%          7,806,312               71.37%                52,920,000                            94.41%
C2.3              3.74%         10,529,505               96.26%                14,340,861                            97.19%

Page 39: Conclusion

■ I hope that I have shown you that counter-measures are an interesting subject
  ● Amongst others ☺
  ● A natural extension to dynamic security monitoring
  ● More to do than simply shut down
■ Many issues to solve
  ● In particular the opposition between availability and integrity/confidentiality